openssh/sshd_config

#	$OpenBSD: sshd_config,v 1.32 2001/02/06 22:07:50 deraadt Exp $

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_dsa_key
#HostKey /etc/ssh_host_rsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/libexec/sftp-server
- djm@cvs.openbsd.org 2001/02/04 21:26:07 [sshd_config] type: ok markus@ - deraadt@cvs.openbsd.org 2001/02/06 22:07:50 [sshd_config] enable sftp-server by default 2001-02-10 23:26:35 +00:00			`# $OpenBSD: sshd_config,v 1.32 2001/02/06 22:07:50 deraadt Exp $`
- niklas@cvs.openbsd.org 2001/01/2001 [atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1 ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h] $OpenBSD$ 2001-01-29 07:39:26 +00:00
NB: big update - may break stuff. Please test! - (djm) OpenBSD CVS sync: - markus@cvs.openbsd.org 2001/02/03 03:08:38 [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] [sshd_config] make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ - markus@cvs.openbsd.org 2001/02/03 03:19:51 [ssh.1 sshd.8 sshd_config] Skey is now called ChallengeResponse - markus@cvs.openbsd.org 2001/02/03 03:43:09 [sshd.8] use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean channel. note from Erik.Anggard@cygate.se (pr/1659) - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 [ssh.1] typos; ok markus@ - djm@cvs.openbsd.org 2001/02/04 04:11:56 [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] Basic interactive sftp client; ok theo@ - (djm) Update RPM specs for new sftp binary - (djm) Update several bits for new optional reverse lookup stuff. I think I got them all. 2001-02-04 12:20:18 +00:00			`# This is the sshd server system-wide configuration file. See sshd(8)`
			`# for more information.`
Initial revision 1999-10-27 03:42:43 +00:00
			`Port 22`
- OpenBSD CVS updates [channels.c] - fix pr 1196, listen_port and port_to_connect interchanged [scp.c] - after completion, replace the progress bar ETA counter with a final elapsed time; my idea, aaron wrote the patch [ssh_config sshd_config] - show 'Protocol' as an example, ok markus@ [sshd.c] - missing xfree() - Add missing header to bsd-misc.c 2000-04-19 06:26:12 +00:00			`#Protocol 2,1`
- (stevesk) sshd_config: sync 2001-01-09 15:28:46 +00:00			`#ListenAddress 0.0.0.0`
- Merged OpenBSD IPv6 patch: - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1] [scp.c packet.h packet.c login.c log.c canohost.c channels.c] [hostfile.c sshd_config] ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new features: sshd allows multiple ListenAddress and Port options. note that libwrap is not IPv6-ready. (based on patches from fujiwara@rcac.tdi.co.jp) - [ssh.c canohost.c] more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, from itojun@ - [channels.c] listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) - [packet.h] allow auth-kerberos for IPv4 only - [scp.1 sshd.8 servconf.h scp.c] document -4, -6, and 'ssh -L 2022/::1/22' - [ssh.c] 'ssh @host' is illegal (null user name), from karsten@gedankenpolizei.de - [sshconnect.c] better error message - [sshd.c] allow auth-kerberos for IPv4 only - Big IPv6 merge: - Cleanup overrun in sockaddr copying on RHL 6.1 - Replacements for getaddrinfo, getnameinfo, etc based on versions from patch from KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> - Replacement for missing structures on systems that lack IPv6 - record_login needed to know about AF_INET6 addresses - Borrowed more code from OpenBSD: rresvport_af and requisites 2000-01-14 04:45:46 +00:00			`#ListenAddress ::`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`HostKey /etc/ssh_host_key`
- (djm) Merge OpenBSD changes: - markus@cvs.openbsd.org 2000/11/06 16:04:56 [channels.c channels.h clientloop.c nchan.c serverloop.c] [session.c ssh.c] agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi - markus@cvs.openbsd.org 2000/11/06 16:13:27 [ssh.c sshconnect.c sshd.c] do not disabled rhosts(rsa) if server port > 1024; from pekkas@netcore.fi - markus@cvs.openbsd.org 2000/11/06 16:16:35 [sshconnect.c] downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net - markus@cvs.openbsd.org 2000/11/09 18:04:40 [auth1.c] typo; from mouring@pconline.com - markus@cvs.openbsd.org 2000/11/12 12:03:28 [ssh-agent.c] off-by-one when removing a key from the agent - markus@cvs.openbsd.org 2000/11/12 12:50:39 [auth-rh-rsa.c auth2.c authfd.c authfd.h] [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] add support for RSA to SSH2. please test. there are now 3 types of keys: RSA1 is used by ssh-1 only, RSA and DSA are used by SSH2. you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA keys for SSH2 and use the RSA keys for hostkeys or for user keys. SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. - (djm) Fix up Makefile and Redhat init script to create RSA host keys - (djm) Change to interim version 2000-11-13 11:57:25 +00:00			`HostKey /etc/ssh_host_dsa_key`
- (stevesk) sshd_config: sync 2001-01-09 15:28:46 +00:00			`#HostKey /etc/ssh_host_rsa_key`
Initial revision 1999-10-27 03:42:43 +00:00			`ServerKeyBits 768`
			`LoginGraceTime 600`
			`KeyRegenerationInterval 3600`
			`PermitRootLogin yes`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`#`
			`# Don't read ~/.rhosts and ~/.shosts files`
			`IgnoreRhosts yes`
			`# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication`
			`#IgnoreUserKnownHosts yes`
Initial revision 1999-10-27 03:42:43 +00:00			`StrictModes yes`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 00:33:04 +00:00			`X11Forwarding no`
Initial revision 1999-10-27 03:42:43 +00:00			`X11DisplayOffset 10`
			`PrintMotd yes`
			`KeepAlive yes`
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 12:56:35 +00:00
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`# Logging`
- (stevesk) sshd_config: sync 2001-01-09 15:28:46 +00:00			`SyslogFacility AUTH`
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 12:56:35 +00:00			`LogLevel INFO`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`#obsoletes QuietMode and FascistLogging`
Cleanup of default config for new LogLevel option and better readability 1999-11-11 10:07:00 +00:00
- Tidied default config file some more - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. 1999-11-13 12:56:35 +00:00			`RhostsAuthentication no`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 00:33:04 +00:00			`#`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`# For this to work you will also need host keys in /etc/ssh_known_hosts`
			`RhostsRSAAuthentication no`
- Merged changes from OpenBSD CVS - [sshd.c] session_key_int may be zero - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok deraadt,millert - Brought default sshd_config more in line with OpenBSDs 1999-11-12 00:33:04 +00:00			`#`
Initial revision 1999-10-27 03:42:43 +00:00			`RSAAuthentication yes`

			`# To disable tunneled clear text passwords, change to no here!`
			`PasswordAuthentication yes`
			`PermitEmptyPasswords no`
NB: big update - may break stuff. Please test! - (djm) OpenBSD CVS sync: - markus@cvs.openbsd.org 2001/02/03 03:08:38 [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] [sshd_config] make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ - markus@cvs.openbsd.org 2001/02/03 03:19:51 [ssh.1 sshd.8 sshd_config] Skey is now called ChallengeResponse - markus@cvs.openbsd.org 2001/02/03 03:43:09 [sshd.8] use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean channel. note from Erik.Anggard@cygate.se (pr/1659) - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 [ssh.1] typos; ok markus@ - djm@cvs.openbsd.org 2001/02/04 04:11:56 [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] Basic interactive sftp client; ok theo@ - (djm) Update RPM specs for new sftp binary - (djm) Update several bits for new optional reverse lookup stuff. I think I got them all. 2001-02-04 12:20:18 +00:00
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`# Uncomment to disable s/key passwords`
- djm@cvs.openbsd.org 2001/02/04 21:26:07 [sshd_config] type: ok markus@ - deraadt@cvs.openbsd.org 2001/02/06 22:07:50 [sshd_config] enable sftp-server by default 2001-02-10 23:26:35 +00:00			`#ChallengeResponseAuthentication no`
Initial revision 1999-10-27 03:42:43 +00:00
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00			`# To change Kerberos options`
Initial revision 1999-10-27 03:42:43 +00:00			`#KerberosAuthentication no`
			`#KerberosOrLocalPasswd yes`
			`#AFSTokenPassing no`
			`#KerberosTicketCleanup no`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00
Initial revision 1999-10-27 03:42:43 +00:00			`# Kerberos TGT Passing does only work with the AFS kaserver`
			`#KerberosTgtPassing yes`
- Big manpage and config file cleanup from Andre Lucas <andre.lucas@dial.pipex.com> - Re-added latest (unmodified) OpenBSD manpages 2000-01-20 12:13:36 +00:00
- (stevesk) sshd_config: sync 2001-01-09 15:28:46 +00:00			`#CheckMail yes`
- (djm) Periodically rekey arc4random - (djm) Clean up diff against OpenBSD. 2000-08-29 22:40:09 +00:00			`#UseLogin no`
- OpenBSD CVS updates: - deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo 2000-06-18 04:50:44 +00:00
- (djm) OpenBSD CVS changes: - markus@cvs.openbsd.org 2000/07/22 03:14:37 [servconf.c servconf.h sshd.8 sshd.c sshd_config] random early drop; ok theo, niels - deraadt@cvs.openbsd.org 2000/07/26 11:46:51 [ssh.1] typo - deraadt@cvs.openbsd.org 2000/08/01 11:46:11 [sshd.8] many fixes from pepper@mail.reppep.com - provos@cvs.openbsd.org 2000/08/01 13:01:42 [Makefile.in util.c aux.c] rename aux.c to util.c to help with cygwin port - deraadt@cvs.openbsd.org 2000/08/02 00:23:31 [authfd.c] correct sun_len; Alexander@Leidinger.net - provos@cvs.openbsd.org 2000/08/02 10:27:17 [readconf.c sshd.8] disable kerberos authentication by default - provos@cvs.openbsd.org 2000/08/02 11:27:05 [sshd.8 readconf.c auth-krb4.c] disallow kerberos authentication if we can't verify the TGT; from dugsong@ kerberos authentication is on by default only if you have a srvtab. - markus@cvs.openbsd.org 2000/08/04 14:30:07 [auth.c] unused - markus@cvs.openbsd.org 2000/08/04 14:30:35 [sshd_config] MaxStartups - markus@cvs.openbsd.org 2000/08/15 13:20:46 [authfd.c] cleanup; ok niels@ - markus@cvs.openbsd.org 2000/08/17 14:05:10 [session.c] cleanup login(1)-like jobs, no duplicate utmp entries - markus@cvs.openbsd.org 2000/08/17 14:06:34 [session.c sshd.8 sshd.c] sshd -u len, similar to telnetd 2000-08-18 03:59:06 +00:00			`#MaxStartups 10:30:60`
- (bal) OpenBSD Sync - markus@cvs.openbsd.org 2001/01/08 22:29:05 [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 sshd_config version.h] implement option 'Banner /etc/issue.net' for ssh2, move version to 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner is enabled). - markus@cvs.openbsd.org 2001/01/08 22:03:23 [channels.c ssh-keyscan.c] O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com - markus@cvs.openbsd.org 2001/01/08 21:55:41 [sshconnect1.c] more cleanups and fixes from stevesk@pobox.com: 1) try_agent_authentication() for loop will overwrite key just allocated with key_new(); don't alloc 2) call ssh_close_authentication_connection() before exit try_agent_authentication() 3) free mem on bad passphrase in try_rsa_authentication() - markus@cvs.openbsd.org 2001/01/08 21:48:17 [kex.c] missing free; thanks stevesk@pobox.com 2001-01-09 00:35:42 +00:00			`#Banner /etc/issue.net`
NB: big update - may break stuff. Please test! - (djm) OpenBSD CVS sync: - markus@cvs.openbsd.org 2001/02/03 03:08:38 [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] [sshd_config] make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ - markus@cvs.openbsd.org 2001/02/03 03:19:51 [ssh.1 sshd.8 sshd_config] Skey is now called ChallengeResponse - markus@cvs.openbsd.org 2001/02/03 03:43:09 [sshd.8] use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean channel. note from Erik.Anggard@cygate.se (pr/1659) - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 [ssh.1] typos; ok markus@ - djm@cvs.openbsd.org 2001/02/04 04:11:56 [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] Basic interactive sftp client; ok theo@ - (djm) Update RPM specs for new sftp binary - (djm) Update several bits for new optional reverse lookup stuff. I think I got them all. 2001-02-04 12:20:18 +00:00			`#ReverseMappingCheck yes`
- djm@cvs.openbsd.org 2001/02/04 21:26:07 [sshd_config] type: ok markus@ - deraadt@cvs.openbsd.org 2001/02/06 22:07:50 [sshd_config] enable sftp-server by default 2001-02-10 23:26:35 +00:00
			`Subsystem sftp /usr/libexec/sftp-server`